6281-S2 AMH SMIN BAKY 159

  

2SSB 6281 - H AMD TO ITED COMM AMD (H-5242.1/20) 2155

By Representative Smith

NOT ADOPTED 03/06/2020

On page 3, line 19 of the striking amendment, after "(4)" insert ""Chief privacy officer" means the person appointed under RCW 43.105.369(2).

(5)"

Renumber the remaining subsections consecutively and correct any internal reference accordingly.

On page 3, line 36 of the striking amendment, after "(9)" insert "(a) "Data broker" means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the personal data of a consumer with whom the business does not have a direct relationship.

(b) The following activities conducted by a business do not qualify the business as a data broker:

(i) Furnishing a consumer report, as defined in 15 U.S.C. Sec. 1681a(d), by a consumer reporting agency, as defined in 15 U.S.C. Sec. 1681a(f);

(ii) Collecting or disclosing nonpublic personal information, as defined in 15 U.S.C. Sec. 6809(4), by a financial institution, as defined in 15 U.S.C. Sec. 6809(3), in a manner than is regulated under the federal Gramm Leach Bliley act, P.L. 106-102, and implementing regulations;

(iii) Providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier; or

(iv) Providing publicly available information via real-time or near real-time alert services for health or safety purposes.

(10)"

Renumber the remaining subsections consecutively and correct any internal references accordingly.

On page 21, after line 15 of the striking amendment, insert the following:

"NEW SECTION. Sec. 11. DATA BROKER REGISTRATION. (1) Annually, on or before January 31st following a year in which a business meets the definition of data broker as provided in section 3 of this act, a data broker shall:

(a) Register with the chief privacy officer;

(b) Pay a registration fee of two hundred fifty dollars to the chief privacy officer; and

(c) Provide the following information to the chief privacy officer:

(i) The name and primary physical, email, and internet addresses of the data broker;

(ii) If the data broker permits a consumer to opt out of the data broker's collection of personal data, opt out of its databases, or opt out of certain sales of data:

(A) The method for requesting an opt-out;

(B) If the opt-out applies to only certain activities or sales, a statement specifying to which activities or sales the opt-out applies;

(C) Whether the data broker permits a consumer to authorize a third party to opt out on the consumer's behalf;

(D) A statement specifying the data collection, databases, or sales activities from which a consumer may not opt out;

(iii) Whether the data broker implements a purchaser credentialing process;

(iv) Where the data broker has actual knowledge that it possesses the personal data of minors, a separate statement detailing the data collection practices, databases, sales activities, and opt-out policies that are applicable to the personal data of minors; and

(v) Any additional data that the data broker chooses to provide concerning its data collection practices.

(2) The chief privacy officer is authorized to coordinate with a third party for the purpose of collecting the registration fee under subsection (1)(b) of this section.

(3) A data broker that fails to fulfill the requirements of subsection (1) of this section is subject to:

(a) A civil penalty of fifty dollars for each day, not to exceed a total of ten thousand dollars for each year it fails to register pursuant to this section;

(b) A fine equal to the fees due under this section during the period it failed to register pursuant to this section; and

(c) Other penalties imposed by law.

(4) The attorney general may maintain an action to collect the penalties imposed in this section and to seek appropriate injunctive relief."

Renumber the remaining sections consecutively and correct any internal references accordingly.

On page 26, line 4 of the striking amendment, after "through" strike "18 and 20" and insert "19 and 21"

EFFECT:   Adds the definitions of "Chief Privacy Officer" and "data broker." Requires data brokers to register annually with the Chief Privacy Officer and disclose certain information regarding their practices.

--- END ---